Security

Twitter has agreed to pay a $150m fine to settle a federal privacy suit over privacy data violations. The row saw the social company reportedly collecting phone numbers and email addresses for account security measures and then using the information for advertising purposes without letting users know. “This practice affected more than 140 million Twitter

by Paul Ducklin LISTEN NOW Click-and-drag on the soundwaves below to skip to any point. You can also listen directly on Soundcloud. With Doug Aamoth and Paul Ducklin. Intro and outro music by Edith Mudge. Listen on Soundcloud, Apple Podcasts, Google Podcasts, Spotify, Stitcher and anywhere that good podcasts are found.Or simply drop the URL

The Cybersecurity and Infrastructure Security Agency (CISA) has published a new five-step 5G Security Evaluation Process to help companies improve their security posture before deploying new 5G applications. More specifically, the new guidelines include information about relevant threat frameworks, 5G system security standards, industry security specifications, federal security guidance documents and methodologies to conduct cybersecurity

by Paul Ducklin We’ve often warned about the risks of browser extensions – not just for Chrome, but for any browser out there. That’s because browser extensions aren’t subject to the same strict controls as the content of web pages you download, otherwise they wouldn’t be extensions… …they’d basically just be locally-cached web pages. An

Pro-consumer website Comparitech has released a new report exploring legislation about child data collection in the world’s top 50 countries by gross domestic product (GDP). The document assessed 23 different aspects of these policies to assess whether specific legislation was in place for children’s online data or not. Aspects examined included requirements for privacy policies,

by Paul Ducklin A keen-eyed researcher at SANS recently wrote about a new and rather specific sort of supply chain attack against open-source software modules in Python and PHP. Following on-line discussions about a suspicious public Python module, Yee Ching Tok noted that a package called ctx in the popular PyPi repository had suddenly received

The Cybersecurity and Infrastructure Security Agency (CISA) has added 41 vulnerabilities to its catalog of known exploited flaws this week. The US federal agency has urged all organizations to remediate these vulnerabilities promptly to “reduce their exposure to cyber-attacks.” Federal Civilian Executive Branch (FCEB) agencies are required by law to remediate all vulnerabilities in the catalog by the specified

The US government lacks comprehensive data on ransomware attacks, including how much is lost in payments, according to a new report by the United States Senate Committee on Homeland Security & Governmental Affairs. The report presented the findings of a 10-month investigation into the growing threat of ransomware. It cited FBI figures showing that the agency had

The District of Columbia announced that it sued Meta Platforms Inc. CEO Mark Zuckerberg for his role in the data breach that allowed political consulting firm Cambridge Analytica to target Facebook users during the 2016 US presidential election. The “sweeping investigation” found that Zuckerberg had lax oversight of users and created misleading privacy agreements that resulted in

by Paul Ducklin Face-matching service Clearview AI has only been around for five years, but it has courted plenty of controversy in that time, both inside and outside the courtroom. Indeed, we’ve written about the Clearview AI many times since the start of 2020, when a class action suit was brought against the company in

A new risk analysis published today warns that modern “smart” farm machinery is vulnerable to malicious hackers, leaving global supply chains exposed to risk. The analysis, published in the journal Nature Machine Intelligence, warns that hackers could exploit flaws in agricultural hardware used to plant and harvest crops. Additionally, it said automatic crop sprayers, drones and

by Paul Ducklin Two of the big-news vulnerabilities in this month’s Patch Tuesday updates from Microsoft were CVE-2022-26923 and CVE-2022-26931, which affected the safety of authentication in Windows. Even though they were so-called EoP holes rather than RCE bugs (elevation of privilege, instead of the more serious problem of remote code execution), they were neverthless

The US Department of Justice (DoJ) has announced it will no longer prosecute “good faith” hackers under the Computer Fraud and Abuse Act (CFAA). The historic policy shift was announced in a statement yesterday, which declared that white hat hackers will not be prosecuted for accessing a computer when done to improve cybersecurity. The DoJ defined good-faith

by Paul Ducklin Just a short note to let you know that we were wrong about Firefox and Pwn2Own in our latest podcast… …but we were right about how Mozilla would react in our latest podcast promotional video: Latest podcast 🎧 Listen now! Firefox & Pwn2Own, Apple and an 0-day… and the mathematics that defeated

Pro-Russian hackers have targeted the websites of various Italian institutions and government ministries, law enforcement said on Friday. The attack, which began on Thursday evening and was still in progress as of Friday early afternoon, was reportedly confirmed by Italy’s Postal Police. The attack was launched at around 20:00 GMT on Thursday by the hacker

by Paul Ducklin On Wednesday this week, virtualisation behemoth VMWare published a security advisory describing two just-patched security holes in its products. Virtualisation in general, and VMWare’s product set in particular, is widely used to turn individual physical computers into several “virtual computers” that share the same physical hardware. These virtual computers, known in the

The Cybersecurity and Infrastructure Security Agency (CISA) has issued an emergency directive to all federal agencies to mitigate two new VMware vulnerabilities. The directive relates to two new vulnerabilities – CVE-2022-22972 and CVE-2022-22973 – that CISA believes threat actors are likely to exploit across numerous VMware products. These are VMware Workspace ONE Access (Access), VMware Identity Manager (vIDM),

by Paul Ducklin LISTEN NOW Click-and-drag on the soundwaves below to skip to any point. You can also listen directly on Soundcloud. [00’22”] Fun Fact. What does the word “non-commensurate” mean? [01’41”] When is cracking passwords legal? [11’08”] Why did Firefox get patched? [15’20”] This Week in Tech. Which computer needed dropping onto the desk?

Pharmacy retailer Dis-Chem recently announced that it had been hit by a data breach affecting the personal details of 3.6 million customers. In a statement, Dis-Chem said it was contracted with a third-party service provider and operator for certain managed services that developed a database for Dis-Chem. The database contained “certain categories of personal information

by Paul Ducklin The 2022 edition of the famous (or infamous, depending on your viewpoint) Pwn2Own competition kicks off later today in Vancouver, British Columbia. (Actually, it’s a so-called “hybrid” event this year, so that entrants who can’t or don’t want to travel, whether for coronavirus or environmental reasons, can participate remotely.) Numerous vendors have

Multinational company Omnicell recently confirmed that it had experienced a data breach after following a reported ransomware attack, impacting internal systems. The company, headquartered in Mountain View, California, USA, learned of the ransomware attack, which it disclosed on May 9 2022 in a 10-Q filing with the Securities and Exchange Commission. More details are likely

by Paul Ducklin Apple’s latest security updates have arrived. All still-supported flavours of macOS (Monterey, Big Sur and Catalina), as well as all current mobile devices (iPhones, iPads, Apple TVs and Apple Watches), get patches. Additionally, programmers using Apple’s Xcode development system get an update too. The details are below. All the details and bulletin

US manufacturing company Parker-Hannifin Corporation has announced a data breach exposing employees’ personal identifiable information (PII) after Conti ransomware actors published reportedly stolen data last month. The firm, one of the largest companies in the world in motion control technologies, revealed in a press release that an unauthorized third party gained access to its IT

by Paul Ducklin Late last week, our Slackware Linux distro announced an update to follow the scheduled-and-expected Firefox 100 release, which came out at the start of the month. The new version is 100.0.1, and we’re running it happily… …but when we clicked on What’s new two days later, to see what was new, we

A former banking IT security boss has been named as the co-chair of the government’s National Cyber Advisory Board, a key institution created as part of its new cybersecurity strategy. Sharon Barber was until recently chief resilience and security officer at Lloyds Banking Group, and will now lead efforts to shape a dialogue between society and

The cyber implications of the Russia-Ukraine conflict were discussed by a panel of international security leaders during the opening plenary session at CYBERUK 2022. The discussion was moderated by NCSC’s CEO Lindy Cameron, who was joined on the stage by the director of the US’ National Security Agency (NSA), Robert Joyce, head of the Australian Cyber

by Paul Ducklin You may not have heard of Curl (or curl, as it is more properly written), but it’s one of those open source toolkits that you’ve almost certainly used anyway, probably very often, without knowing. The open source world provides numerous tools of this sort – ubiquitous, widely used in software projects all over

The European Union (EU) has reached political agreement on new legislation that will impose common cybersecurity standards on critical industry organizations. The new directive will replace the EU’s existing rules on the security of network and information systems (NIS Directive), which requires updating because “of the increasing degree of digitalization and interconnectedness of our society and the

by Paul Ducklin What does the word Glib mean to you? Does it make you think of a popular programming library from the GNOME project? Do you see it as a typo for glibc, a low-level C runtime library used in many Linux distros? Do you picture someone with the gift of the gab trying

Oklahoma City Indian Clinic (OKCIC) this week announced that it experienced a data breach exposing personally identifiable information (PII) of nearly 40,000 individuals. According to a notice posted on the clinic’s website, on May 12, the clinic identified a data security incident that affected its computer system. To investigate the incident, OKCIC enlisted the help